H3-2026-0050
Entra ID Privileged Role Administrator Can Escalate to Global Administrator
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 9.0 |
Description
In Microsoft Entra ID, a user or service principal holding the Privileged Role Administrator directory role can assign any directory role – including Global Administrator – to any Entra ID object. This allows a compromised account to immediately self-escalate to full tenant control without requiring any additional permissions.
Impact
An attacker who compromises a Privileged Role Administrator account can assign the Global Administrator role to themselves or to a newly created account, gaining full control over the Entra ID tenant and all associated cloud resources.
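The escalation path above leaves a trace in the Entra ID audit log: an "Add member to role" event whose target role is Global Administrator, initiated by an account that is not itself a Global Administrator. The following detection logic is an added example, not part of this advisory; it runs over a constructed sample in the shape of Graph directoryAudit events and assumes the publicly documented Global Administrator role template ID, which you should confirm against your own tenant.

```python
import json

# Global Administrator role template ID as published by Microsoft (assumed
# correct here; confirm against your tenant's roleManagement data).
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample of two audit events in the Graph directoryAudit shape.
# Event 1: a Privileged Role Administrator grants Global Administrator to a new account.
# Event 2: an existing Global Administrator grants an unrelated role (constructed
# placeholder template ID), which is benign noise for this detection.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "pra-admin@example.test"}},
     "targetResources": [
         {"userPrincipalName": "new-account@example.test",
          "modifiedProperties": [
              {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
              {"displayName": "Role.TemplateId", "newValue": f"\"{GLOBAL_ADMIN_TEMPLATE}\""}]}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "ga@example.test"}},
     "targetResources": [
         {"userPrincipalName": "reader@example.test",
          "modifiedProperties": [
              {"displayName": "Role.DisplayName", "newValue": "\"Directory Readers\""},
              {"displayName": "Role.TemplateId",
               "newValue": "\"00000000-0000-0000-0000-00000000dead\""}]}]},
])

def _prop(resource, name):
    """Return the JSON-decoded newValue of the named modifiedProperty, or None."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name:
            return json.loads(p["newValue"])
    return None

def _actor(event):
    """Initiator UPN for a user, or app display name for a service principal."""
    by = event.get("initiatedBy", {})
    return (by.get("user") or {}).get("userPrincipalName") or (by.get("app") or {}).get("displayName")

def find_ga_grants(audit_json, known_global_admins):
    """Flag 'Add member to role' events that grant Global Administrator.
    A grant by an actor not already in known_global_admins (e.g. a Privileged
    Role Administrator self-escalating) is HIGH; grants by known GAs are REVIEW."""
    findings = []
    for ev in json.loads(audit_json):
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor = _actor(ev)
        for res in ev.get("targetResources", []):
            if _prop(res, "Role.TemplateId") != GLOBAL_ADMIN_TEMPLATE:
                continue
            severity = "HIGH" if actor not in known_global_admins else "REVIEW"
            findings.append({"actor": actor, "target": res.get("userPrincipalName"),
                             "severity": severity})
    return findings
```

Feed it the output of the Graph `auditLogs/directoryAudits` endpoint, and populate `known_global_admins` from current role assignments so that every HIGH finding is a Global Administrator grant made by someone who was not one.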